Agile and Secure: OWASP AppSec Seattle Oct The OWASP Foundation

Transcription

1 Agile and Secure: Can We Be Both? OWASP AppSec Seattle Oct 2006 Dan Cornell, OWASP San Antonio Leader Principal, Denim Group Ltd. (210) Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit The OWASP Foundation

2 The Agile Practitioner s Dilemma Agile Forces: More responsive to business concerns Increasing the frequency of stable releases Secure Forces: More aggressive regulatory environment Increasing focus on need for security Decreasing the time it takes to deploy new features Traditional approaches are top-down, document centric OWASP AppSec Seattle

3 Objectives Background Goals of Agile Methods Goals of Secure Development Lifecycle (SDL) Review the Momentum of Agile Methods Look at An Integrated Process Challenges & Compromises OWASP AppSec Seattle

4 Background Dan Cornell Principal Pi i lof fdenim Group, Ltd. MCSD, Java 2 Certified Programmer Challenges facing our own agile teams Deliver projects in an economically-responsible manner Uphold security goals OWASP AppSec Seattle

5 Notable Agile Methods extreme Programming (XP) Feature Driven Development (FDD) SCRUM MSF for Agile Software Development Agile Unified Process (AUP) Crystal Clear Dynamic Systems Development Method (DSDM) OWASP AppSec Seattle

6 Manifesto for Agile Software Development Individuals and interactions over processes and tools Working software over comprehensive documentation Customer collaboration ation over contract negotiation Responding to change over following a plan Source: OWASP AppSec Seattle

7 Agile s Core Values Communication Simplicity Feedback Courage OWASP AppSec Seattle

8 Principles of Agile Development Rapid Feedback Simple Design Incremental Change Embracing Change The system is appropriate for the intended audience. The code passes all the tests. The code communicates everything it needs to. The code has the smallest number of classes and methods. Quality Work OWASP AppSec Seattle

9 Agile Practices The Planning Game The Driving Metaphor Customer:scope, priorities and release dates Developer: estimates, consequences and detailed scheduling Shared Vision On-Site Customer Small Releases Development iterations or cycles that last 1-4 weeks. Release iterations as soon as possible (weekly, monthly, quarterly). OWASP AppSec Seattle

10 More Agile Practices Collective Ownership Test Driven Continuous Integration Coding Standards ds Pair Programming OWASP AppSec Seattle

11 Definition of Secure A secure product is one that protects the confidentiality, integrity, and availability of the customers information, and the integrity and availability of processing resources under control of the system s owner or administrator. -- Source: Writing Secure Code (Microsoft.com) OWASP AppSec Seattle

12 A Secure Development Process Strives To Be A Repeatable Process Requires Team Member Education Tracks Metrics and Maintains Accountability Sources: Writing Secure Code 2 nd Ed., Howard & LeBlanc The Trustworthy Computing Security Development Lifecycle by Lipner & Howard OWASP AppSec Seattle

13 Secure Development Principles SD 3 : Secure by Design, Secure by Default, and in Deployment Learn From Mistakes Minimize i i Your Attack Surface Assume External Systems Are Insecure Plan On Failure Never Depend on Security Through Obscurity Alone Fix Security Issues Correctly OWASP AppSec Seattle

14 Secure Development Practices Education, Education, Education Threat Modeling Secure Coding Techniques Security Testing Security Code Reviews OWASP AppSec Seattle

15 Microsoft s Secure Development Lifecycle (SDL) Requirements Design Implementation Verification Release (Waterfall!) OWASP AppSec Seattle

16 Observations of the SDL in Practice Threat Modeling is the Highest-Priority Component Penetration Testing Alone is Not the Answer Tools Should be Complementary OWASP AppSec Seattle

17 Threat Modeling STRIDE classify threats Spoofing Identity Tampering with Data Repudiation Information Disclosure Denial of Service Elevation of Privilege DREAD rank vulnerabilities Damage Potential Reproducibility Exploitability Affected Users Discoverability OWASP AppSec Seattle

18 Dr. Dobb s says Agile Methods Are Catching On 41% of organizations have adopted an agile methodology Of the 2,611 respondents doing agile 37% using extreme Programming 19% using Feature Driven Development (FDD) 16% using SCRUM 7% using MSF for Agile Software Development Source: p OWASP AppSec Seattle

19 Agile Teams are Quality Infected 60% reported increased productivity 66% reported improved quality 58% improved stakeholder satisfaction OWASP AppSec Seattle

20 Adoption Rate for Agile Practices Of the respondents using an agile method 36% have active customer participation 61% have adopted common coding guidelines 53% perform code regression testing 37% utilize pair programming OWASP AppSec Seattle

21 Let s Look at Some Specific Agile Methods extreme Programming (XP) Feature Driven Development (FDD) SCRUM MSF for Agile Software Development OWASP AppSec Seattle

22 extreme Programming (XP) OWASP AppSec Seattle

23 Feature Driven Development (FDD) Develop an Overall Model Startup Phase Build Features List Planning Design by Feature Build by Feature Construction Phase Source: OWASP AppSec Seattle

24 SCRUM Commonly Used to Enhance Existing Systems Feature Backlog 30 Day Sprints Daily Team Meeting Source: OWASP AppSec Seattle

25 MSF for Agile Software Development Adapted from the Spiral / Waterfall Hybrid Product definition, development and testing occurs in overlapping iterations Different iterations have a different focus OWASP AppSec Seattle

26 An Integrated Process Making Agile Trustworthy OWASP AppSec Seattle

27 Project Roles Product Manager / Customer Program Manager / Coach Architect Developer Tester Security Adviser OWASP AppSec Seattle

28 Project Setup Education & Training (include Security) Developers Testers Customers User Stories / Use Case Development Architecture Decisions (spikes) Agree on Threat Modeling standards for the project STRIDE priorities DREAD ratings OWASP AppSec Seattle

29 Release Planning User Stories / Use Cases Drive Acceptance Test Scenarios Estimations may affect priorities and thus the composition of the release Inputs for Threat Modeling Security Testing Scenarios Determine the qualitative risk budget Keep the customer involved in making risk tradeoffs Finalize Architecture & Development Guidelines Common Coding Standards (include security) Crucial for collective code ownership Conduct Initial Threat Modeling (assets & threats) Designer s s Security Checklist OWASP AppSec Seattle

30 Iteration Planning 1-4 Weeks in Length (2 weeks is very common) Begins with an Iteration Planning Meeting User Stories are broken down into Development Tasks Developers estimate their own tasks Document the Attack Surface (Story Level) Model the threats alongside the user story documentation Crucial in documentation-light processes Capture these and keep them Code will tell you what decision was made, threat models will tell you why decisions were made Crucial for refactoring in the face of changing security priorities Never Slip the Date Add or Remove Stories As Necessary OWASP AppSec Seattle

31 Executing an Iteration Daily Stand-ups Continuous Integration Code Scanning Tools Security Testing Tools Adherence to Common Coding Standards d and dsecurity Guidelines Crucial for communal code ownership Developer s Checklist OWASP AppSec Seattle

32 Closing an Iteration Automation of Customer Acceptance Tests Include l d negative testing ti for identified d threats t Security Code Review Some may have happened informally during pair programming OWASP AppSec Seattle

33 Stabilizing a Release Schedule Defects & Vulnerabilities Prioritize i iti vulnerabilities with client input based on agreed-upon STRIDE and DREAD standards Security Push Include traditional penetration testing OWASP AppSec Seattle

34 Compromises We ve Made Feature-focus in iterations removes some top down control More documentation than is required in pure Agile development Security coding standards Project-specific STRIDE and DREAD standards User story threat models OWASP AppSec Seattle

35 Values of an Agile and Secure Process Communication Simplicity Feedback Courage Trustworthy OWASP AppSec Seattle

36 Questions Dan Cornell Website: Blog: OWASP AppSec Seattle